
Quickstart Video Tutorials

Useful starting place to see what you can do in SnapAttack.

Searching / Finding Content

Free-form text search

You can use free-form search for words in the title, description, tags, and detection logic. Here we are searching for the infamous Microsoft Office zero-day exploit "Follina".

Find all high confidence / validated detections against a specific ATT&CK technique

Find all high confidence (low false positive), validated (tested) detections targeting credential dumping via LSASS.

Find all CrowdStrike compatible detections relying on process creation logs

Search for all valid detections that work with CrowdStrike process creation events

From a log in Splunk, find what attack created it and import it to the detection builder

From a log in Splunk, you can find which captured threat it came from, or import it into the detection builder to create a detection against it.

Deploying Detections

One-click search with magnifying glass

Push detection to your SIEM/EDR via API

Attack Simulations

Install and configure attack simulation agent

Launch an attack simulation and view results

Using Training Mode

Entering and exiting training mode

Creating New Detections

Create a process creation detection from the process graph

Create a detection from a non-process log from Splunk

Sometimes you have to dig deeper than process creation logs. You can use the dashboard to filter down and find file, registry, network, and a number of other log types to build detections with. Here we saw procdump writing a .dmp file (which is quite common for LSASS/SAM dumping tools).

Import or edit a Sigma detection using the advanced editor

Capturing New Threats

Capture a threat using our infrastructure on-demand

Installing CapAttack on your infrastructure

Capture a threat using your infrastructure

Four ways of labeling attacks (adding red stars)

Labeling an attack (via red star) at the moment of the attack not only helps visually narrow down critical time areas, it also helps automate the process of validating detections as true positives. Upon creating a new captured threat, the author should label the major attacks. There are multiple ways to add them. In order of preference:

  1. Confirming an existing detection that hit on the event
  2. Finding the malicious process in the process graph
  3. Finding the malicious log in the Splunk dashboard
  4. Labeling by time by pausing the video

Creating New Collections

Create a new collection

Add one piece of content to a collection

Bulk deploying collection of detections